
Resolved How to add nginx header for all https sites (but NOT plain http)?

mr-wolf

Silver Pleskian
Plesk Guru
It seems we shouldn't be adding this in a file in /etc/nginx/conf.d
Code:
add_header Strict-Transport-Security "max-age=15768000; preload" always;

By doing that we're adding it to both http and https and that's something we shouldn't do.
I'm doing this, and I can assume many others are too, as this was posted in one of the threads in this forum.

I can of course add the header to each https block of each site, but if there is something like a generic setting, this would be more than welcome.

I noticed this ticket: #289 (Add support for HTTP Strict Transport Security (HSTS / RFC 6797)) – nginx

Does anyone know how to put it in a file for all configurations, but stop it from being used in plain http?

Here is the quote from RFC 6797 explicitly stating (MUST NOT) that it should NOT be sent over http:
RFC 6797 - HTTP Strict Transport Security (HSTS)
7.2
An HSTS Host MUST NOT include the STS header field in HTTP responses
conveyed over non-secure transport.
The answer was in that same link I provided.
I did try the "map solution", but because I was using "always" I couldn't implement it properly without generating a syntax error.
I shouldn't let "always" be part of the variable.

Finally I was able to do it properly and now have this:

cat /etc/nginx/conf.d/aa400_own_tweaks.conf
Code:
map $scheme $hsts_header {
    https   'max-age=15768000; preload';
}

add_header Strict-Transport-Security $hsts_header always;

ssl_session_timeout         10m;
ssl_session_cache shared:SSL:50m;

ssl_dhparam /etc/dhparam/dhparam4096.pem;

add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
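An added example (not from the thread or from Plesk) that models why the map-based config above works and audits observed response headers against RFC 6797 section 7.2: a `map` with no `default` yields an empty string for plain http, and nginx does not emit an `add_header` whose value is empty, so the header only reaches https responses. The script also parses the STS value and flags a `preload` directive that does not meet the published preload-list requirements (max-age of at least one year plus `includeSubDomains`), which the thread's `max-age=15768000; preload` value would trip. The sample responses are constructed; `nginx_hsts_headers` is a model of nginx's documented behaviour, not nginx itself. One caveat worth checking on a Plesk host: nginx `add_header` directives in `conf.d` are only inherited by a `server` or `location` block that defines no `add_header` of its own, so a site-level header override silently drops the HSTS header again.

```python
"""Audit Strict-Transport-Security (HSTS) headers per RFC 6797 section 7.2.

Added example, not code from the forum thread or from Plesk. It models the
map-based nginx config from the thread and checks that the STS header is
present over HTTPS and absent over plain HTTP. All sample values are
constructed for this example.
"""
from typing import Dict, List, Optional

# Value taken from the thread's map block; the preload-list threshold is the
# published hstspreload.org requirement (one year, plus includeSubDomains).
HSTS_VALUE = "max-age=15768000; preload"
PRELOAD_MIN_MAX_AGE = 31536000


def nginx_hsts_headers(scheme: str) -> Dict[str, str]:
    """Model of `map $scheme $hsts_header { https '...'; }` followed by
    `add_header Strict-Transport-Security $hsts_header always;`.

    A map with no default yields "" for non-matching keys, and nginx does
    not emit add_header with an empty value, so plain HTTP gets no header.
    """
    hsts_header = HSTS_VALUE if scheme == "https" else ""
    headers: Dict[str, str] = {}
    if hsts_header:  # empty value -> header not added, as nginx documents
        headers["Strict-Transport-Security"] = hsts_header
    return headers


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an STS value into {directive: value}; valueless flags map to None.

    Directive names are case-insensitive and max-age is mandatory (RFC 6797 6.1).
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        raise ValueError(f"invalid HSTS value: {value!r}")
    return directives


def audit_hsts(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for observed response headers keyed by scheme.

    responses: {"http": {header: value}, "https": {header: value}}.
    Header names are compared case-insensitively, as HTTP requires.
    """
    findings: List[str] = []
    for scheme, headers in responses.items():
        lowered = {k.lower(): v for k, v in headers.items()}
        sts = lowered.get("strict-transport-security")
        if scheme == "http":
            if sts is not None:
                findings.append("STS header sent over plain HTTP (RFC 6797 7.2)")
            continue
        if sts is None:
            findings.append("no STS header over HTTPS")
            continue
        try:
            directives = parse_hsts(sts)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if "preload" in directives and (
            int(directives["max-age"]) < PRELOAD_MIN_MAX_AGE
            or "includesubdomains" not in directives
        ):
            findings.append("preload set but preload-list requirements not met")
    return findings


if __name__ == "__main__":
    # "Before": header added unconditionally in conf.d, reaching both schemes.
    before = {"http": {"Strict-Transport-Security": HSTS_VALUE},
              "https": {"Strict-Transport-Security": HSTS_VALUE}}
    # "After": the map-based config from the thread.
    after = {scheme: nginx_hsts_headers(scheme) for scheme in ("http", "https")}
    print("before:", audit_hsts(before))
    print("after: ", audit_hsts(after))
```

Feeding the script real headers (for example the output of `curl -sI http://example.invalid` and the https equivalent) turns it into a quick post-change check that the plain-http finding has gone away.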